João, this happens for the following reason:<div><br></div><div>- The registration attempts are not repeated, that is, the attempts are made against sequential extensions and not against the same extension (3 times). For example, the attacker does not send more than one registration attempt to the same extension, but rather one attempt to each extension in the scanner's list, in sequence:</div>
<div><br></div><div>sip:100@xxx.xxx.xxx.xxx - No matching peer found</div><div>sip:200@xxx.xxx.xxx.xxx - No matching peer found</div>
<div>sip:300@xxx.xxx.xxx.xxx - No matching peer found</div><div><br></div><div>- If the attacker sent the registration attempts repeating the same extension, then the maximum number of attempts would be honored:</div>
<div><br></div><div>sip:100@xxx.xxx.xxx.xxx - No matching peer found</div><div>
sip:100@xxx.xxx.xxx.xxx - No matching peer found</div><div>sip:100@xxx.xxx.xxx.xxx - No matching peer found</div>
<div><br></div><div>- What happens when you say the block only occurs after 100 attempts is a result of the scanner repeating its cycle: it tries to run the process again, and that is when it gets blocked.</div><div><br></div><div>- The most "sensible" thing is to create a rule that blocks after a single attempt, because, considering that you are the one who blocks/allows registration access for the extensions, the internal networks could easily be allowed through, with this stricter rule applied to the external networks.</div>
<div><br></div><div>Regards,</div><div><br></div><div><br><div class="gmail_quote">On 8 February 2011 at 10:23, João Marcelo Queiroz <span dir="ltr"><<a href="mailto:jmbq@bol.com.br">jmbq@bol.com.br</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">With the help of several friends here on the list, my fail2ban is finally blocking the constant attacks I have been suffering. But even though I configured jail.conf to ban the IP after 2 attempts, what I see is that sometimes it takes 100 attempts or more before f2b blocks the IP. What I was able to notice is that the block is applied after 1 second, that is, whether the attacker makes 1000 attempts or 10 attempts within 1 second does not matter, the block is only applied after that time. At least that is what I could tell from the logs.<br>
<br>
I have already changed maxretry from 3 to 2 and findtime from 60 to 30 and to 1000, with no noticeable effect.<br>
<br>
Is there anything else I can do? I stress that all the attacks are stopped by F2B, that is, F2B is working, but only after several attempts.<br>
<br>
Below is an example of an attack.<br>
<br>
_________________________<br>
<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1790833979"<sip:1790833979@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"100"<sip:100@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"200"<sip:200@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"300"<sip:300@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"400"<sip:400@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"500"<sip:500@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"600"<sip:600@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"700"<sip:700@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"800"<sip:800@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"900"<sip:900@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1000"<sip:1000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"2000"<sip:2000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"3000"<sip:3000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"4000"<sip:4000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"5000"<sip:5000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"6000"<sip:6000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"7000"<sip:7000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"8000"<sip:8000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"9000"<sip:9000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"0000"<sip:0000@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123"<sip:123@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1234"<sip:1234@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"12345"<sip:12345@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123456"<sip:123456@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"123123"<sip:123123@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"12341234"<sip:12341234@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"1234512345"<sip:1234512345@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"105"<sip:105@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"205"<sip:205@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"305"<sip:305@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"405"<sip:405@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"505"<sip:505@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"605"<sip:605@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"705"<sip:705@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"805"<sip:805@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"905"<sip:905@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"test"<sip:test@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"noauth"<sip:noauth@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"101"<sip:101@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"202"<sip:202@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"303"<sip:303@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '"404"<sip:404@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"505"<sip:505@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"606"<sip:606@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"707"<sip:707@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"808"<sip:808@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
[Feb 8 02:18:21] NOTICE[3196] chan_sip.c: Registration from '"909"<sip:909@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found<br>
__________________________<br>
<br>
Here is part of the fail2ban log:<br>
<br>
__________________________<br>
2011-02-04 17:39:28,126 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4<br>
2011-02-04 17:39:28,127 fail2ban.jail : INFO Creating new jail 'ssh-iptables'<br>
2011-02-04 17:39:28,127 fail2ban.jail : INFO Jail 'ssh-iptables' uses poller<br>
2011-02-04 17:39:28,141 fail2ban.filter : INFO Added logfile = /var/log/iptables<br>
2011-02-04 17:39:28,141 fail2ban.filter : INFO Set maxRetry = 5<br>
2011-02-04 17:39:28,142 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,142 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,185 fail2ban.jail : INFO Creating new jail 'asterisk-iptables'<br>
2011-02-04 17:39:28,186 fail2ban.jail : INFO Jail 'asterisk-iptables' uses poller<br>
2011-02-04 17:39:28,186 fail2ban.filter : INFO Added logfile = /var/log/asterisk/fail2ban<br>
2011-02-04 17:39:28,187 fail2ban.filter : INFO Set maxRetry = 2<br>
2011-02-04 17:39:28,188 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,188 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,204 fail2ban.jail : INFO Creating new jail 'ssh-tcpwrapper'<br>
2011-02-04 17:39:28,204 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' uses poller<br>
2011-02-04 17:39:28,205 fail2ban.filter : INFO Added logfile = /var/log/iptables<br>
2011-02-04 17:39:28,205 fail2ban.filter : INFO Set maxRetry = 2<br>
2011-02-04 17:39:28,207 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,207 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,225 fail2ban.jail : INFO Creating new jail 'apache-tcpwrapper'<br>
2011-02-04 17:39:28,225 fail2ban.jail : INFO Jail 'apache-tcpwrapper' uses poller<br>
2011-02-04 17:39:28,225 fail2ban.filter : INFO Set maxRetry = 6<br>
2011-02-04 17:39:28,226 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,227 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,232 fail2ban.jail : INFO Creating new jail 'proftpd-iptables'<br>
2011-02-04 17:39:28,232 fail2ban.jail : INFO Jail 'proftpd-iptables' uses poller<br>
2011-02-04 17:39:28,233 fail2ban.filter : INFO Set maxRetry = 6<br>
2011-02-04 17:39:28,234 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,234 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,245 fail2ban.jail : INFO Creating new jail 'sasl-iptables'<br>
2011-02-04 17:39:28,245 fail2ban.jail : INFO Jail 'sasl-iptables' uses poller<br>
2011-02-04 17:39:28,246 fail2ban.filter : INFO Added logfile = /var/log/mail.log<br>
2011-02-04 17:39:28,246 fail2ban.filter : INFO Set maxRetry = 2<br>
2011-02-04 17:39:28,247 fail2ban.filter : INFO Set findtime = 1000<br>
2011-02-04 17:39:28,248 fail2ban.actions: INFO Set banTime = 518400<br>
2011-02-04 17:39:28,255 fail2ban.jail : INFO Jail 'ssh-iptables' started<br>
2011-02-04 17:39:28,256 fail2ban.jail : INFO Jail 'asterisk-iptables' started<br>
2011-02-04 17:39:28,258 fail2ban.jail : INFO Jail 'ssh-tcpwrapper' started<br>
2011-02-04 17:39:28,261 fail2ban.jail : INFO Jail 'apache-tcpwrapper' started<br>
2011-02-04 17:39:28,263 fail2ban.jail : INFO Jail 'proftpd-iptables' started<br>
2011-02-04 17:39:28,275 fail2ban.jail : INFO Jail 'sasl-iptables' started<br>
2011-02-06 03:11:52,980 fail2ban.actions: WARNING [asterisk-iptables] Ban 188.72.203.180<br>
2011-02-07 03:23:03,461 fail2ban.actions: WARNING [asterisk-iptables] Ban 188.161.233.236<br>
2011-02-07 23:18:09,081 fail2ban.actions: WARNING [asterisk-iptables] Ban 184.106.181.209<br>
2011-02-07 23:18:11,431 fail2ban.actions: WARNING [asterisk-iptables] 184.106.181.209 already banned<br>
2011-02-08 02:18:21,829 fail2ban.actions: WARNING [asterisk-iptables] Ban 203.86.167.220<br>
<br>
________________________<br>
Below is the asterisk-iptables context from jail.conf:<br>
<br>
________________________<br>
<br>
# Fail2Ban configuration file<br>
#<br>
# Author: Cyril Jaquier<br>
#<br>
# $Revision: 747 $<br>
#<br>
<br>
# The DEFAULT allows a global definition of the options. They can be overridden<br>
# in each jail afterwards.<br>
<br>
[DEFAULT]<br>
<br>
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not<br>
# ban a host which matches an address in this list. Several addresses can be<br>
# defined using space separator.<br>
ignoreip = 127.0.0.1 xxx.xxx.xxx.xxx<br>
<br>
# "bantime" is the number of seconds that a host is banned.<br>
bantime = 518400<br>
<br>
# A host is banned if it has generated "maxretry" during the last "findtime"<br>
# seconds.<br>
findtime = 1000<br>
<br>
# "maxretry" is the number of failures before a host gets banned.<br>
maxretry = 2<br>
<br>
...<br>
<br>
[asterisk-iptables]<br>
<br>
enabled = true<br>
filter = asterisk<br>
action = iptables-allports[name=ASTERISK, protocol=all]<br>
         sendmail-whois[name=ASTERISK, dest=XXX@XXXX.com.br, sender=XXX@XXXX.com.br]<br>
logpath = /var/log/asterisk/fail2ban<br>
maxretry = 2<br>
bantime = 518400<br>
<br>
<br>
<br>
____________________<br>
Below is the asterisk filter in fail2ban:<br>
<br>
____________________<br>
# Fail2Ban configuration file<br>
<br>
[INCLUDES]<br>
# Read common prefixes. If any customizations available -- read them from<br>
# common.local<br>
#before = common.conf<br>
<br>
[Definition]<br>
#_daemon = asterisk<br>
# Option: failregex<br>
# Notes.: regex to match the password failures messages in the logfile. The<br>
# host must be matched by a group named 'host'. The tag '<HOST>' can<br>
# be used for standard IP/hostname matching and is only an alias for<br>
# (?:::f{4,6}:)?(?P<host>\S+)<br>
# Values: TEXT<br>
<br>
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password<br>
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found<br>
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch<br>
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL<br>
            NOTICE.* <HOST> failed to authenticate as '.*'$<br>
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)<br>
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)<br>
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*<br>
<br>
# Option: ignoreregex<br>
# Notes.: regex to ignore. If this regex matches, the line is ignored.<br>
# Values: TEXT<br>
ignoreregex =<br>
<br>
<br>
________<br>
AsteriskBrasil.org discussion list<br>
<a href="mailto:AsteriskBrasil@listas.asteriskbrasil.org">AsteriskBrasil@listas.asteriskbrasil.org</a><br>
<a href="http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil" target="_blank">http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil</a><br>
______________________________________________<br>
</blockquote></div><br><br clear="all"><br>-- <br>Leandro,<br><br>
</div>
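The counting rule the two messages argue about, as an added example that is not code from either message nor from fail2ban itself: a Python replay of the failregex list quoted above over a few Asterisk log lines (three copied from João's log, the rest constructed), keyed on the `<HOST>` group the way fail2ban keys its failure counter. It runs João's settings (maxretry = 2, findtime = 1000) next to Leandro's suggestion of exempting the internal networks with ignoreip and banning any other host on its first failure. The 192.168.0.0/16 range, the second scanner at 198.51.100.7 and the year 2011 given to the timestamps are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The failregex lines are the ones from the asterisk filter quoted in the post.
# fail2ban expands the <HOST> tag to the group below before compiling.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL",
    r"NOTICE.* <HOST> failed to authenticate as '.*'$",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)",
    r"NOTICE.* .*: Failed to authenticate user .*@<HOST>.*",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FAILREGEX]

# Asterisk's "[Feb 8 02:18:20]" prefix carries no year; 2011 is assumed from the thread date.
TS_RE = re.compile(r"^\[(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2})\]")
LOG_YEAR = 2011

# Sample input: the first three lines are copied from the log in the post; the rest are
# constructed (192.168.1.50 as an internal phone, 198.51.100.7 as a second scanner).
SAMPLE_LINES = [
    "[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '\"1790833979\"<sip:1790833979@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found",
    "[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '\"100\"<sip:100@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found",
    "[Feb 8 02:18:20] NOTICE[3196] chan_sip.c: Registration from '\"200\"<sip:200@xxx.xxx.xxx.xxx>' failed for '203.86.167.220' - No matching peer found",
    "[Feb 8 02:18:25] NOTICE[3196] chan_sip.c: Registration from '\"105\"<sip:105@xxx.xxx.xxx.xxx>' failed for '192.168.1.50' - Wrong password",
    "[Feb 8 02:18:26] NOTICE[3196] chan_sip.c: Registration from '\"105\"<sip:105@xxx.xxx.xxx.xxx>' failed for '192.168.1.50' - Wrong password",
    "[Feb 8 02:19:00] NOTICE[3196] chan_sip.c: Registration from '\"100\"<sip:100@xxx.xxx.xxx.xxx>' failed for '198.51.100.7' - Wrong password",
    "[Feb 8 02:19:01] NOTICE[3196] chan_sip.c: Registration from '\"100\"<sip:100@xxx.xxx.xxx.xxx>' failed for '198.51.100.7' - Wrong password",
    "[Feb 8 02:19:02] NOTICE[3196] chan_sip.c: Peer '105' is now Reachable. (12ms / 2000ms)",
]


def parse_line(line):
    """Return (timestamp, host) when one of the failregex patterns matches, else None."""
    m = TS_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{m.group(1)} {m.group(2)} {LOG_YEAR} {m.group(3)}",
                           "%b %d %Y %H:%M:%S")
    for rx in COMPILED:
        hit = rx.search(line)
        if hit:
            return ts, hit.group("host")
    return None


def is_ignored(host, networks):
    """ignoreip check: a host inside any listed network is never counted or banned."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # <HOST> captured a hostname rather than an address
        return False
    return any(addr in net for net in networks)


def simulate(lines, maxretry, findtime, ignoreip=()):
    """Replay log lines through the jail's counting rule.

    Returns {host: (timestamp of the ban, failures inside findtime at that moment)}.
    The counter is keyed on the source address only; the SIP user tried is irrelevant.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # host -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans or is_ignored(host, networks):
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = (ts, len(window))
    return bans


def run():
    """João's jail as posted versus Leandro's suggestion (assumed internal range)."""
    as_posted = simulate(SAMPLE_LINES, maxretry=2, findtime=1000)
    external_only = simulate(SAMPLE_LINES, maxretry=1, findtime=1000,
                             ignoreip=("127.0.0.1/32", "192.168.0.0/16"))
    return as_posted, external_only


if __name__ == "__main__":
    for label, bans in zip(("maxretry=2", "maxretry=1 + ignoreip"), run()):
        print(label)
        for host, (ts, n) in bans.items():
            print(f"  ban {host} at {ts:%H:%M:%S} after {n} failure(s)")
```

Replayed in order, 203.86.167.220 reaches maxretry = 2 on its second line, stamped 02:18:20, regardless of which extension each line tried, because the counter is per source address. With findtime = 0 the internal phone's two failures at 02:18:25 and 02:18:26 no longer add up, while the scanner's same-second lines still do. The delay João measured is consistent with the fail2ban log on the page (ban at 02:18:21,829 for lines stamped 02:18:20 and 02:18:21): fail2ban 0.8's poller backend re-reads the log file roughly once a second, so every line Asterisk wrote during that interval is already on disk when the pass that issues the ban runs.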